add setting to define the samesite cookie policy

As mentioned in
dokuwiki#3994 (review)
there might be occasions when users might want to change the policy to a
stricter one or the somewhat more lenient Lax implementation of current
browsers.

Author: splitbrain

conf/dokuwiki.php

@@ -64,6 +64,7 @@
 $conf['disableactions'] = '';            //comma separated list of actions to disable
 $conf['auth_security_timeout'] = 900;    //time (seconds) auth data is considered valid, set to 0 to recheck on every page view
 $conf['securecookie'] = 1;               //never send HTTPS cookies via HTTP
+$conf['samesitecookie'] = 'Lax';         //SameSite attribute for cookies (Lax|Strict|None|Empty)
 $conf['remote']      = 0;                //Enable/disable remote interfaces
 $conf['remoteuser']  = '!!not set!!';    //user/groups that have access to remote interface (comma separated). leave empty to allow all users
 $conf['remotecors']  = '';               //enable Cross-Origin Resource Sharing (CORS) for the remote interfaces. Asterisk (*) to allow all origins. leave empty to deny.

inc/auth.php

@@ -434,7 +434,7 @@ function auth_logoff($keepbc = false) {
         'path' => $cookieDir,
         'secure' => ($conf['securecookie'] && is_ssl()),
         'httponly' => true,
-        'samesite' => 'Lax',
+        'samesite' => $conf['samesitecookie'] ?: null, // null means browser default
     ]);
 
     if($auth) $auth->logOff();
@@ -1267,7 +1267,7 @@ function auth_setCookie($user, $pass, $sticky) {
         'path' => $cookieDir,
         'secure' => ($conf['securecookie'] && is_ssl()),
         'httponly' => true,
-        'samesite' => 'Lax',
+        'samesite' => $conf['samesitecookie'] ?: null, // null means browser default
     ]);
 
     // set session

lib/plugins/config/lang/en/lang.php

@@ -106,6 +106,7 @@
 $lang['disableactions_rss'] = 'XML Syndication (RSS)';
 $lang['auth_security_timeout'] = 'Authentication Security Timeout (seconds)';
 $lang['securecookie'] = 'Should cookies set via HTTPS only be sent via HTTPS by the browser? Disable this option when only the login of your wiki is secured with SSL but browsing the wiki is done unsecured.';
+$lang['samesitecookie'] = 'The samesite cookie attribute to use. Leaving it empty will let the browser decide on the samesite policy.';
 $lang['remote']      = 'Enable the remote API system. This allows other applications to access the wiki via XML-RPC or other mechanisms.';
 $lang['remoteuser']  = 'Restrict remote API access to the comma separated groups or users given here. Leave empty to give access to everyone.';
 $lang['remotecors']  = 'Enable Cross-Origin Resource Sharing (CORS) for the remote interfaces. Asterisk (*) to allow all origins. Leave empty to deny CORS.';

lib/plugins/config/settings/config.metadata.php

@@ -158,6 +158,7 @@
 );
 $meta['auth_security_timeout'] = array('numeric');
 $meta['securecookie'] = array('onoff');
+$meta['samesitecookie'] = array('multichoice','_choices' => array('','Lax','Strict','None'));
 $meta['remote']       = array('onoff','_caution' => 'security');
 $meta['remoteuser']   = array('string');
 $meta['remotecors']   = array('string', '_caution' => 'security');